Abstract: We show that two new key exchange protocols with security 
based on the triple decomposition problem may have security based on the 
MSCSP. 



1 Introduction 

Recently a new key exchange primitive based on the triple DP (decomposition 
problem) was proposed in [1]; the triple DP is defined in [1] as finding the 
decomposition of a given element into three (unknown) elements. 

One purpose of the scheme of [1] is that its security is based on hard problems 
in braid groups for which a linear algebraic attack is not possible. It is claimed 
in [1] that the security of the new scheme is based on the triple DP in any $G$. 
If $G$ is a group, or the private keys are invertible, then we show that the 
scheme in [1] is based on the CSP (conjugacy search problem) or the MSCSP 
(multiple simultaneous CSP); hence the algorithms in [1] are no more secure 
than other key agreement algorithms based on the CSP or MSCSP, and hence 
the new scheme in [1] can be attacked feasibly using linear algebra if braid 
groups are used (or the new scheme can be attacked with any algorithm that 
gives solutions of the CSP or MSCSP). There is a linear algebraic method to 
find solutions of the MSCSP which has been used to attack the braid key 
exchange protocol of Anshel-Anshel-Goldfeld [2], and this attack can be used to 
attack the new scheme with linear algebra. 

2 Description of the New Protocols Based on the Triple Decomposition Problem 

In this section the protocols are described using original portions of sections 
2 and 3 taken from the preprint [1] (hence the protocols are described exactly 
as in [1]). 



2.1 Suggested Subgroup Parameters 

In this section the parameters are described using original portions of section 
5 taken from the preprint [1] (hence the parameters are described exactly as 
in [1]). 

3 Security of the Protocols Based on the Triple Decomposition Problem 

If $G$ is a group (it is suggested in [1] that $G$ may be a group; the example 
given in [1] for $G$ is the braid group) or the private keys are invertible, then we 
can show the following. In this section we give our new result that the security 
of the new protocols in [1] is based on a system of equations ((1) and (2) below), 
the MSCSP or the CSP in $G$. 

3.1 The First Protocol 

Compute $O_1 = pqr = (b_1 y_1)(y_1^{-1} b_2 y_2)(y_2^{-1} b_3) = b_1 b_2 b_3$. 

Compute $O_1^{-1} p q J_I r = O_1^{-1} (b_1 y_1)(y_1^{-1} b_2 y_2) J_I (y_2^{-1} b_3)$ 
$= (b_3^{-1} b_2^{-1} b_1^{-1}) b_1 b_2 J_I b_3$ 
$= b_3^{-1} J_I b_3$ for $1 \le I \le K_1$, 

$b_3^{-1} J_I b_3$ for $1 \le I \le K_1$ (1) 

For some integer $K_1$ and $J_I$ ($J_I$ may be braids) chosen by the attacker. 

Compute $p T_I q r O_1^{-1} = (b_1 y_1) T_I (y_1^{-1} b_2 y_2)(y_2^{-1} b_3) O_1^{-1}$ 
$= b_1 T_I b_2 b_3 (b_3^{-1} b_2^{-1} b_1^{-1}) = b_1 T_I b_1^{-1}$ for $1 \le I \le K_2$, 

$b_1 T_I b_1^{-1}$ for $1 \le I \le K_2$ (2) 

For some integer $K_2$ and $T_I$ chosen by the attacker. Observe that the elements 
$J_I$ are chosen from $A_3$ (because of the commutativity conditions of the 
protocols) and the elements $T_I$ are chosen from $A_2$. To find $b_2$ compute 
$b_2 = b_1^{-1} O_1 b_3^{-1}$; now Bob's private key is known and so the secret shared 
key can be constructed. Hence from the systems of equations (1) and (2) the 
security of the protocol can be based on the MSCSP [3] (which includes the CSP), 
so we have shown that the security of the new protocol in [1] is based on solving 
the MSCSP twice. A very similar derivation shows that the security of the new 
protocol is also based on two MSCSPs with the unknowns $a_1$ and $a_3$. A further 
observation is that, for any $G$, the security of the protocol can also be based on 
the MSDSP (multiple simultaneous decomposition search problem) rather than on 
the triple decomposition problem: for example (using the above computations) 
by solving the equations $b_1 b_2 J_I b_3$ for $b_3$ and $b_1 T_I b_2 b_3$ for $b_1$, 
and then solving for $b_2$ using $b_1$, $b_3$ and the publicly known information 
(again there is a similar result using Alice's private keys). Observe that the 
possible specific parameters suggested in [1] satisfy commutativity conditions 
such as $B_2$ commutes with $A_2$ etc. in addition to the commutativity conditions 
which are necessary for the protocol to work. We can use these additional 
commutativity conditions to show that the security can be based on the CSP as 
follows. We solve the MSCSP for $a_1$ and $b_3$ as described above. Let $O_2 = 
uvw = a_1 a_2 a_3$. 
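The reduction above, checked numerically in a toy instantiation; this is an added example, not code from this paper or from [1]. It assumes the first protocol in the form recoverable from the equations above (Alice publishes $u = a_1 x_1$, $v = x_1^{-1} a_2 x_2$, $w = x_2^{-1} a_3$; Bob publishes $p = b_1 y_1$, $q = y_1^{-1} b_2 y_2$, $r = y_2^{-1} b_3$; $A_2$ commutes with $Y_1$, $A_3$ with $Y_2$, $B_1$ with $X_1$, $B_2$ with $X_2$) and takes $G = \mathrm{GL}(2, p)$ with those subgroups realised as centralizers of public matrices; the modulus, matrices and subgroup assignment are constructed assumptions. It verifies identities (1) and (2) and that, once $b_1$ and $b_3$ are known, $b_2 = b_1^{-1} O_1 b_3^{-1}$ reproduces the shared key.

```python
import random
from functools import reduce

P = 1_000_003                       # prime modulus for GL(2, P); constructed for this example
I2 = ((1, 0), (0, 1))
def det(A): return (A[0][0] * A[1][1] - A[0][1] * A[1][0]) % P

def mul(A, B):
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(2)) % P for j in range(2)) for i in range(2))

def prod(*Ms):
    return reduce(mul, Ms, I2)

def inv(A):
    (a, b), (c, d) = A
    di = pow(det(A), P - 2, P)      # Fermat inverse; callers only build invertible matrices
    return ((d * di % P, -b * di % P), (-c * di % P, a * di % P))

def rand_inv(rng):
    while True:
        A = tuple(tuple(rng.randrange(P) for _ in range(2)) for _ in range(2))
        if det(A):
            return A

def in_centralizer(M, rng):
    # random invertible c0*I + c1*M: such matrices commute with M and with each other
    while True:
        c0, c1 = rng.randrange(P), rng.randrange(1, P)
        Y = tuple(tuple((c0 * I2[i][j] + c1 * M[i][j]) % P for j in range(2)) for i in range(2))
        if det(Y):
            return Y

def first_protocol_reduction(seed=7):
    rng = random.Random(seed)
    g1, g2, g3, g4 = (rand_inv(rng) for _ in range(4))   # public parameters (constructed)
    # subgroups: A2 = Y1 = C(g1), A3 = Y2 = C(g2), B1 = X1 = C(g3), B2 = X2 = C(g4)
    a1, a2, a3 = rand_inv(rng), in_centralizer(g1, rng), in_centralizer(g2, rng)
    x1, x2 = in_centralizer(g3, rng), in_centralizer(g4, rng)
    b1, b2, b3 = in_centralizer(g3, rng), in_centralizer(g4, rng), rand_inv(rng)
    y1, y2 = in_centralizer(g1, rng), in_centralizer(g2, rng)
    u, v, w = mul(a1, x1), prod(inv(x1), a2, x2), mul(inv(x2), a3)   # Alice's public key
    p, q, r = mul(b1, y1), prod(inv(y1), b2, y2), mul(inv(y2), b3)   # Bob's public key
    key = prod(a1, b1, a2, b2, a3, b3)                               # the shared key
    agree = key == prod(a1, p, a2, q, a3, r) == prod(u, b1, v, b2, w, b3)
    O1 = prod(p, q, r)                                               # = b1 b2 b3
    J, T = in_centralizer(g2, rng), in_centralizer(g1, rng)          # attacker's J in A3, T in A2
    eq1 = prod(inv(O1), p, q, J, r) == prod(inv(b3), J, b3)          # identity (1)
    eq2 = prod(p, T, q, r, inv(O1)) == prod(b1, T, inv(b1))          # identity (2)
    b2_rec = prod(inv(b1), O1, inv(b3))   # once b1, b3 are known (MSCSP output), b2 follows
    return agree, eq1, eq2, prod(u, b1, v, b2_rec, w, b3) == key
```

In $\mathrm{GL}(2, p)$ the conjugacy equations (1) and (2) are themselves linear in the unknown, so this toy checks the algebra of the reduction rather than the hardness of the MSCSP.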

To recover the common secret key compute 
$O_2^{-1} a_1 (O_1 b_3^{-1}) a_1^{-1} O_2 = a_3^{-1} a_2^{-1} (b_1 b_2) a_2 a_3 = a_3^{-1} (b_1 b_2) a_3$, 

$a_3^{-1} (b_1 b_2) a_3$ (3) 

similarly 

$O_1 b_3^{-1} (a_1^{-1} O_2) b_3 O_1^{-1} = b_1 (a_2 a_3) b_1^{-1}$, 

$b_1 (a_2 a_3) b_1^{-1}$ (4) 

From the above we can solve for $a_3$, $b_1$ by solving the CSP with $b_1 b_2 = 
O_1 b_3^{-1}$ and $a_2 a_3 = a_1^{-1} O_2$, or we can solve (5) and (6) below for 
$b_1$ and $a_3$ as follows (so again the protocol can be based on the MSCSP). 

The attacker selects $V_I$ commuting with $a_2$ but not with $a_3$, or selects $V_I \in B_1$: 
$O_2^{-1} a_1 (V_I) a_1^{-1} O_2 = a_3^{-1} a_2^{-1} (V_I) a_2 a_3 = a_3^{-1} V_I a_3$ 

$a_3^{-1} V_I a_3$ for $1 \le I \le K_3$ (5) 

similarly the attacker selects $W_I$ commuting with $b_2$ but not with $b_1$, or selects 
$W_I \in A_3$: 

$O_1 b_3^{-1} (W_I) b_3 O_1^{-1} = b_1 W_I b_1^{-1}$ 

$b_1 W_I b_1^{-1}$ for $1 \le I \le K_4$ (6) 

The above result also holds when different subgroups are used that satisfy the 
additional commutativity conditions (described above) for an arbitrary G. 

Observe that computing $b_1$ and $b_3$ from the MSCSP or CSP gives 
$y_1 = b_1^{-1} p$, $y_2^{-1} = r b_3^{-1}$, hence $b_2 = (b_1^{-1} p)\, q\, (r b_3^{-1})$ ($a_2$ can be computed in a 
very similar way). 

To defend against the attack in section 3.1 of reconstructing the secret shared 
key by solving the MSCSP, the private keys of Alice and Bob are chosen so that they 
are not invertible. 

3.2 The Second Protocol 

The derivation showing that the second protocol can be based on the MSCSP 
is identical to the derivation for the first protocol, except that the elements $J_I$ are 
chosen from $S_{Y_2}$, the elements $T_I$ are chosen from $S_{Y_1}$, etc.; hence the above 
observations also apply to the second protocol. To defend against the attack 
in section 3.1 of reconstructing the secret shared key by solving the MSCSP, all 
the elements in the private keys of Alice and Bob are chosen so that they are all 
not invertible. 

4 Conclusion 

We have shown that two new key exchange protocols with security based on 
the triple decomposition problem may have security based on the MSCSP or 
the MSDSP. 
Appendix 

We sketch the proof for the attacks considering the suggestion of 5.2.2 in [1]. 
We recover Bob's private key as follows. 

$s_1 b_1 s_1^{-1} (s_2 y_1 s_2^{-1})(s_2 y_1^{-1} s_2^{-1})(s_3 b_2 s_3^{-1})(s_4 y_2 s_4^{-1})(s_4 y_2^{-1} s_4^{-1})(b_3) = 
s_1 b_1 s_1^{-1} s_3 b_2 s_3^{-1} b_3 = O_1$ 

$O_1^{-1} s_1 b_1 s_1^{-1} (s_2 y_1 s_2^{-1})(s_2 y_1^{-1} s_2^{-1})(s_3 b_2 s_3^{-1})(s_4 y_2 s_4^{-1})(s_4 H_I s_4^{-1})$ 
$(s_4 y_2^{-1} s_4^{-1})(b_3) = O_1^{-1} s_1 b_1 s_1^{-1} s_3 b_2 s_3^{-1} s_4 H_I s_4^{-1} b_3 = b_3^{-1} s_4 H_I s_4^{-1} b_3$. 
Hence $b_3$ can be found by solving the MSCSP. 
Then $y_2 = (s_4^{-1} r b_3^{-1} s_4)^{-1}$. 
Now select $J_I$ from $A_2$. 

$s_1 b_1 s_1^{-1} (s_2 y_1 s_2^{-1})(s_2 J_I s_2^{-1})(s_2 y_1^{-1} s_2^{-1})(s_3 b_2 s_3^{-1})(s_4 y_2 s_4^{-1})(s_4 y_2^{-1} s_4^{-1})(b_3) O_1^{-1} =$ 

$s_1 b_1 s_1^{-1} (s_2 y_1 s_2^{-1})(s_2 J_I s_2^{-1})(s_2 y_1^{-1} s_2^{-1})(s_3 b_2 s_3^{-1})(s_4 y_2 s_4^{-1})(s_4 y_2^{-1} s_4^{-1})$ 
$(b_3) \big((s_1 b_1 s_1^{-1})(s_2 y_1 s_2^{-1})(s_2 y_1^{-1} s_2^{-1})(s_3 b_2 s_3^{-1})(s_4 y_2 s_4^{-1})(s_4 y_2^{-1} s_4^{-1})(b_3)\big)^{-1}$ 

$= s_1 b_1 s_1^{-1} (s_2 y_1 s_2^{-1})(s_2 J_I s_2^{-1})(s_2 y_1^{-1} s_2^{-1}) s_1 b_1^{-1} s_1^{-1}$ 

$= s_1 b_1 s_1^{-1} (s_2 J_I s_2^{-1}) s_1 b_1^{-1} s_1^{-1}$ 

Hence $b_1$ can be found by solving the MSCSP. 

Then $y_1 = s_2^{-1} s_1 b_1^{-1} s_1^{-1} p\, s_2$. 

Then we can recover Bob's second private key as 
$(s_2 y_1 s_2^{-1})\, q\, (s_4 y_2^{-1} s_4^{-1}) = s_3 b_2 s_3^{-1}$. 

Now that we have Bob's private key, the shared key is recovered as 
$a_1 (s_1 x_1 s_1^{-1})(s_1 b_1 s_1^{-1})(s_1 x_1^{-1} s_1^{-1})(s_2 a_2 s_2^{-1})(s_3 x_2 s_3^{-1})(s_3 b_2 s_3^{-1})(s_3 x_2^{-1} s_3^{-1})$ 
$(s_4 a_3 s_4^{-1}) b_3 =$ 

$a_1 (s_1 x_1 b_1 x_1^{-1} s_1^{-1})(s_2 a_2 s_2^{-1})(s_3 x_2 b_2 x_2^{-1} s_3^{-1})(s_4 a_3 s_4^{-1}) b_3 =$ shared key. 
Similar attacks exist for each of the attacks above. 